Recovering from Sophos AntiVirus Incident on September 19th

Date Created: 9/25/2012 12:27:55 PM

Dear NAU PC Users,

In the early afternoon of Wednesday, September 19th, NAU’s anti-virus software vendor, Sophos, pushed a faulty virus definition update to all of its customers. This affected NAU-owned and personally owned Windows computers running Sophos AntiVirus. The faulty update caused Sophos to mistakenly identify any application or application component with “update” in its name as being infected with malware called “Shh/Updater-B”.

NAU ITS and our IT Pro partners across campus quickly realized that something was wrong, and ITS PC Support put new settings in place on our enterprise AntiVirus console to minimize the damage. Sophos issued a corrected update about an hour later.

Because Sophos AntiVirus mistakenly quarantined or deleted files, the installation of any application that included a file with the word “update” in its name may be damaged; this includes Java, Flash, Google Chrome, and Sophos AntiVirus itself, among others. Because Sophos may have quarantined or deleted its own update module, Sophos AntiVirus itself is now broken on an undetermined number of NAU customers’ computers.

If you use Sophos AntiVirus obtained from NAU on your work or home machine, and you don’t see the Sophos shield icon in your Windows system tray, your install is damaged and Sophos is no longer protecting your system properly. We are providing an automated script that will attempt to restore Sophos to working order on your PC.

Method 1

Here is a set of steps to fix the problems we’ve been seeing with Sophos for both on-campus and home-use computers:

Unzip the contents to the Desktop folder (note: the fix won’t work unless it is in the Desktop folder specifically).

Open the file “Run_Me” as an Administrator (in XP, log in as an Administrator; in Vista/Win7, right-click and choose “Run as Administrator”).

Reboot after the script completes.

Sophos should now be present in the system tray.

Method 2

Alternatively, we have a backup plan in case the Sophos script doesn’t work; it requires the use of Microsoft Fix It. Once a user attempts to uninstall Sophos through “Add/Remove Programs” (XP) or “Programs and Features” (Vista/7), the Sophos script will no longer work at all. Therefore, please make sure you have tried Method 1 multiple times before resorting to Method 2. Here are the steps:

Back up the quarantine folder. These files can be used to help restore other applications that were affected by the Sophos problem.

Please select the appropriate version for either a home system or an NAU-owned system.

If, after following the instructions above and restarting your PC, the Sophos shield does not reappear, please call the ITS Solution Center at 928-523-1511 for further assistance.

Another, more manual strategy to recover Sophos and other affected apps is to start the Sophos application on your system, click the “View anti-virus and HPS Log” button, scroll up to the afternoon of September 19th, and see which files, if any, your system mistakenly identified as “Shh/Updater-B” and what Sophos did with them. If it moved them to quarantine and renamed them, the log will show you the original name and location of each file as well as the location of the renamed quarantine file. You can repair Sophos and most other applications by copying the quarantined files back to their original locations, renaming them to remove the “.000” that Sophos added to the end of their names, and then restarting your PC.
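For those comfortable with PowerShell, here is a scripted version of that manual restore. It is an added illustration, not part of NAU’s fix package or Sophos’ own tools: you feed it the quarantine-copy / original-location pairs you read out of the Sophos log (the log’s exact line format is not reproduced here, so the pairs are typed in by hand), and it copies each file back only after checking that the quarantine copy carries the “.000” suffix and that its name matches the original. The sample paths are constructed examples.

```powershell
# Restore files Sophos quarantined as "Shh/Updater-B" on Sept 19th.
# Added example, not NAU's Run_Me script. Each entry is a pair read from
# the Sophos log: the quarantine copy (name ending in ".000") and the
# file's original full path.
function Restore-QuarantinedFile {
    param(
        [Parameter(Mandatory=$true)][string]$QuarantinePath,
        [Parameter(Mandatory=$true)][string]$OriginalPath,
        [switch]$DryRun   # report what would happen without copying
    )
    if (-not (Test-Path -LiteralPath $QuarantinePath)) {
        return "SKIP (quarantine copy not found): $QuarantinePath"
    }
    if (-not $QuarantinePath.EndsWith('.000')) {
        return "SKIP (no .000 suffix, not a Sophos quarantine copy): $QuarantinePath"
    }
    # Sophos renamed the file to <original name>.000; refuse any pair where
    # the names do not line up so a mistyped entry cannot overwrite an
    # unrelated file.
    $expected = [IO.Path]::GetFileName($QuarantinePath) -replace '\.000$', ''
    if ($expected -ne [IO.Path]::GetFileName($OriginalPath)) {
        return "SKIP (name mismatch): $QuarantinePath -> $OriginalPath"
    }
    if (Test-Path -LiteralPath $OriginalPath) {
        return "SKIP (a file is already there, leaving it alone): $OriginalPath"
    }
    if ($DryRun) { return "WOULD RESTORE: $QuarantinePath -> $OriginalPath" }
    $dir = Split-Path -Parent $OriginalPath
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # Copy rather than move, so the quarantine backup stays intact.
    Copy-Item -LiteralPath $QuarantinePath -Destination $OriginalPath
    return "RESTORED: $OriginalPath"
}

# Constructed sample pairs (hypothetical paths); replace them with the
# entries from your own log. Run with -DryRun first, then without it.
$pairs = @(
    @{ Q = 'C:\Quarantine\jucheck.exe.000';      O = 'C:\Program Files\Java\jre7\bin\jucheck.exe' },
    @{ Q = 'C:\Quarantine\GoogleUpdate.exe.000'; O = 'C:\Program Files\Google\Update\GoogleUpdate.exe' }
)
foreach ($p in $pairs) {
    Restore-QuarantinedFile -QuarantinePath $p.Q -OriginalPath $p.O -DryRun
}
```

Run it from an Administrator PowerShell window, since the original locations are usually under Program Files, and restart the PC afterwards as the paragraph above describes.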

If you had Sophos configured to delete infected files, check the log as described in the previous paragraph to identify which applications were affected. To repair these applications, you can recover the deleted files from a recent backup (if you have one) or uninstall and re-install the affected apps. (You may need to use Microsoft’s Fix-It tool to successfully uninstall damaged installations.)